<p>In Unix file system permissions, the "<code>others</code>" category refers to all users except the owner of the file system resource and the
members of the group assigned to this resource.</p>
<p>Granting permissions to this category can lead to unintended access to files or directories that could allow attackers to obtain sensitive
information, disrupt services or elevate privileges.</p>
<h2>Ask Yourself Whether</h2>
<ul>
  <li> The application is designed to be run on a multi-user environment. </li>
  <li> Corresponding files and directories may contain confidential information. </li>
</ul>
<p>There is a risk if you answered yes to any of those questions.</p>
<h2>Recommended Secure Coding Practices</h2>
<p>The most restrictive possible permissions should be assigned to files and directories.</p>
<h2>Sensitive Code Example</h2>
<p>Node.js <a href="https://nodejs.org/api/fs.html"><code>fs</code></a></p>
<pre data-diff-id="1" data-diff-type="noncompliant">
const fs = require('fs');

fs.chmodSync("/tmp/fs", 0o777); // Sensitive
</pre>
<pre data-diff-id="2" data-diff-type="noncompliant">
const fs = require('fs');
const fsPromises = fs.promises;

fsPromises.chmod("/tmp/fsPromises", 0o777); // Sensitive
</pre>
<pre data-diff-id="3" data-diff-type="noncompliant">
const fs = require('fs');
const fsPromises = fs.promises

async function fileHandler() {
  let filehandle;
  try {
    filehandle = fsPromises.open('/tmp/fsPromises', 'r');
    filehandle.chmod(0o777); // Sensitive
  } finally {
    if (filehandle !== undefined)
      filehandle.close();
  }
}
</pre>
<p>Node.js <a href="https://nodejs.org/api/process.html#process_process_umask_mask"><code>process.umask</code></a></p>
<pre data-diff-id="4" data-diff-type="noncompliant">
const process = require('process');

process.umask(0o000); // Sensitive
</pre>
<h2>Compliant Solution</h2>
<p>Node.js <a href="https://nodejs.org/api/fs.html"><code>fs</code></a></p>
<pre data-diff-id="1" data-diff-type="compliant">
const fs = require('fs');

fs.chmodSync("/tmp/fs", 0o770);
</pre>
<pre data-diff-id="2" data-diff-type="compliant">
const fs = require('fs');
const fsPromises = fs.promises;

fsPromises.chmod("/tmp/fsPromises", 0o770);
</pre>
<pre data-diff-id="3" data-diff-type="compliant">
const fs = require('fs');
const fsPromises = fs.promises

async function fileHandler() {
  let filehandle;
  try {
    filehandle = fsPromises.open('/tmp/fsPromises', 'r');
    filehandle.chmod(0o770);
  } finally {
    if (filehandle !== undefined)
      filehandle.close();
  }
}
</pre>
<p>Node.js <a href="https://nodejs.org/api/process.html#process_process_umask_mask"><code>process.umask</code></a></p>
<pre data-diff-id="4" data-diff-type="compliant">
const process = require('process');

process.umask(0o007);
</pre>
<h2>See</h2>
<ul>
  <li> OWASP - <a href="https://owasp.org/Top10/A01_2021-Broken_Access_Control/">Top 10 2021 Category A1 - Broken Access Control</a> </li>
  <li> OWASP - <a href="https://owasp.org/Top10/A04_2021-Insecure_Design/">Top 10 2021 Category A4 - Insecure Design</a> </li>
  <li> OWASP - <a href="https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control">Top 10 2017 Category A5 - Broken Access Control</a>
  </li>
  <li> <a
  href="https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/09-Test_File_Permission">OWASP File Permission</a> </li>
  <li> CWE - <a href="https://cwe.mitre.org/data/definitions/732">CWE-732 - Incorrect Permission Assignment for Critical Resource</a> </li>
  <li> CWE - <a href="https://cwe.mitre.org/data/definitions/266">CWE-266 - Incorrect Privilege Assignment</a> </li>
  <li> STIG Viewer - <a href="https://stigviewer.com/stigs/application_security_and_development/2024-12-06/finding/V-222430">Application Security and
  Development: V-222430</a> - The application must execute without excessive account permissions. </li>
</ul>
